
The Oscars and Suspicious Web Activity: What’s the Link?

It’s not unusual for movies, actors, and actresses to serve as lures in cyber attacks. Our recent post on “Spider-Man: No Way Home” proved that. Phishers and other threat actors will, unfortunately, try to capitalize on anything that’s bound to get a lot of user attention, and the annual Oscar Awards are no stranger to such scenarios. Just last year, in fact, hackers used nominated films as phishing bait. This year may be no different.

We hope to forewarn users of such a threat this time, though. So we collected a list of domains and subdomains containing the titles of the movies and names of actors and actresses competing for Oscar awards this year.

Our deep dive resulted in interesting findings, including:

  • Almost 5% of the domains containing the names of the best picture, actor, and actress contenders were dubbed “dangerous” by various malware engines.
  • The malicious web properties we found so far resolved to seven unique IP addresses, one of which turned out to be malicious, too.
  • As expected, several of the domains and subdomains analyzed were newly registered, likely since predictions of contenders were announced.

As part of our ongoing effort to enable cybersecurity analysts and researchers to further their studies, we collated all pertinent data and made it available to anyone interested. You may download the related threat research materials here.

What Our Analysis Revealed

We began our investigation by collating lists of domains and subdomains containing the strings in the table below via Domains & Subdomains Discovery.

Best Picture
  • powerofthedog
  • belfast + movie
  • king + richard + movie
  • westsidestory + movie
  • licorice + pizza
  • coda + movie
  • dune + 2021
  • nightmarealley + movie

Best Actor
  • will + smith
  • benedict + cumberbatch
  • andrew + garfield
  • denzel + washington
  • javier + bardem

Best Actress
  • nicole + kidman
  • olivia + colman
  • penelope + cruz
  • kristen + stewart
  • lady + gaga

While 10 movies are up for the Best Picture title, we didn’t find domains and subdomains containing strings for “Don’t Look Up” and “Drive My Car.” That said, we still found 159 sites (103 domains and 56 subdomains) containing the movie string combinations listed above. We also found 3,430 pages (1,994 domains and 1,436 subdomains) indicating ties to the five best actor nominees and 5,472 sites (1,556 domains and 3,916 subdomains) showing connections to the five best actress contenders.

It’s also interesting to note that the more popular an actor or actress is, the more domains and subdomains were dedicated to them. Take a look at the comparisons between their web property volumes and Google Trends reports below.

Best actor category: Will Smith topped both charts.
Best actress category: Lady Gaga topped both charts.

To date, very few of the web properties (five domains and four subdomains, to be exact) have been dubbed “dangerous” by various malware engines. More of them could be compromised and weaponized, though, as Oscars 2022 fever continues until the show airs on 27 March. The malicious web properties, identified through a bulk malware check via the Threat Intelligence Platform (TIP), are listed below.

Malicious Domains
  • denzelwashington[.]tv
  • smithwillsma[.]com
  • willsmithcreative[.]com
  • willsmith4alabama[.]com
  • smithandwillaimson[.]com

Malicious Subdomains
  • ladygagaph[.]co[.]nr
  • ladygagaombro[.]blogspot[.]com
  • ladygagaislord[.]tumblr[.]com
  • kristenstewartplayboy[.]blogspot[.]com[.]br

Running the malicious web properties through a bulk DNS lookup revealed that they resolved to eight IP addresses. One IP host, 34[.]102[.]136[.]180 (for willsmithcreative[.]com), should especially be avoided, as several malware engines deemed it malicious.

Interestingly, even though the other seven IP hosts weren’t tagged “dangerous,” at least two of them hosted malicious domains (our list of connected domains was limited to five per IP host, so there may be more). For those who use IP-level blocking, blacklisting 216[.]10[.]249[.]8 and 198[.]54[.]115[.]140, in addition to the malicious web properties identified above, could be a good idea. These ties show why expanding an initial list of indicators of compromise (IoCs) and artifacts is critical for users who want the utmost protection.
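The three steps described so far (collecting hostnames that contain the nominee keyword combinations, keeping a defanged list of the flagged web properties, and pivoting on the IP addresses they resolve to in order to widen the IoC list) can be scripted. The block below is an added example and is not WhoisXML API’s code or tooling. It reuses the keyword combinations and the defanged IoCs from the post; the only domain-to-IP pairing stated in the post is willsmithcreative[.]com resolving to 34[.]102[.]136[.]180, so every other resolution row, the `.example` hostnames, the RFC 5737 documentation-range addresses, and the DNS log format are constructed for illustration.

```python
"""
Added example (not WhoisXML API's code): nominee-keyword matching, IP-pivot
expansion of an IoC list, and a check of DNS log lines against the result.
All resolution data and log lines are constructed unless marked otherwise.
"""
from collections import defaultdict

# Keyword combinations from the post's table. "a + b" means every token must
# appear in the hostname (compared after lowercasing and dropping hyphens).
NOMINEE_STRINGS = {
    "best_picture": ["powerofthedog", "belfast + movie", "king + richard + movie",
                     "westsidestory + movie", "licorice + pizza", "coda + movie",
                     "dune + 2021", "nightmarealley + movie"],
    "best_actor": ["will + smith", "benedict + cumberbatch", "andrew + garfield",
                   "denzel + washington", "javier + bardem"],
    "best_actress": ["nicole + kidman", "olivia + colman", "penelope + cruz",
                     "kristen + stewart", "lady + gaga"],
}


def refang(s):
    return s.replace("[.]", ".")


def defang(s):
    return s.replace(".", "[.]")


def matches_nominee(hostname):
    """Return (category, pattern) pairs whose tokens all occur in the hostname."""
    host = hostname.lower().replace("-", "")
    hits = []
    for category, patterns in NOMINEE_STRINGS.items():
        for pattern in patterns:
            tokens = [t.strip() for t in pattern.split("+")]
            if all(t in host for t in tokens):
                hits.append((category, pattern))
    return hits


# IoCs from the post, kept defanged so they never become clickable.
MALICIOUS_HOSTS = [
    "denzelwashington[.]tv", "smithwillsma[.]com", "willsmithcreative[.]com",
    "willsmith4alabama[.]com", "smithandwillaimson[.]com", "ladygagaph[.]co[.]nr",
    "ladygagaombro[.]blogspot[.]com", "ladygagaislord[.]tumblr[.]com",
    "kristenstewartplayboy[.]blogspot[.]com[.]br",
]
MALICIOUS_IPS = ["34[.]102[.]136[.]180"]

# Constructed resolution data standing in for a bulk DNS lookup. Only the first
# row is stated in the post; the rest are hypothetical (RFC 5737 addresses).
CONSTRUCTED_RESOLUTIONS = {
    "willsmithcreative.com": "34.102.136.180",  # from the post
    "denzelwashington.tv": "203.0.113.10",      # constructed
    "smithwillsma.com": "203.0.113.10",         # constructed: same host as above
    "oscars-lure.example": "203.0.113.10",      # constructed: unknown name, same IP
    "fan-site.example": "198.51.100.25",        # constructed: unrelated
}


def pivot_on_ips(resolutions, seed_hosts):
    """IP-level pivot: the IPs the seed hosts resolve to, plus every other
    hostname in the data set sharing one of those IPs. The second list is a
    watchlist to review, not proof of maliciousness (shared hosting is common)."""
    by_ip = defaultdict(set)
    for host, ip in resolutions.items():
        by_ip[ip].add(host)
    seeds = {refang(h) for h in seed_hosts}
    seed_ips = {resolutions[h] for h in seeds if h in resolutions}
    cohosted = set()
    for ip in seed_ips:
        cohosted |= by_ip[ip]
    return sorted(seed_ips), sorted(cohosted - seeds)


def scan_dns_log(lines, bad_hosts, bad_ips):
    """Flag constructed log lines ('<ts> <client> <qname> <answer>') whose name
    or answer is on the block list, or whose name matches a nominee string."""
    hosts = {refang(h) for h in bad_hosts}
    ips = {refang(i) for i in bad_ips}
    alerts = []
    for line in lines:
        ts, client, qname, answer = line.split()
        if qname in hosts or answer in ips:
            alerts.append((ts, client, qname, "blocklist"))
        elif matches_nominee(qname):
            alerts.append((ts, client, qname, "nominee-keyword"))
    return alerts


# Constructed sample DNS log lines.
SAMPLE_LOG = [
    "2022-03-10T09:00:01Z 10.0.0.5 willsmithcreative.com 34.102.136.180",
    "2022-03-10T09:00:02Z 10.0.0.7 oscars-lure.example 203.0.113.10",
    "2022-03-10T09:00:03Z 10.0.0.9 powerofthedog-stream.example 198.51.100.40",
    "2022-03-10T09:00:04Z 10.0.0.9 fan-site.example 198.51.100.25",
]

if __name__ == "__main__":
    seed_ips, extra = pivot_on_ips(CONSTRUCTED_RESOLUTIONS, MALICIOUS_HOSTS)
    print("seed IPs:", [defang(ip) for ip in seed_ips])
    print("co-hosted names to review:", [defang(h) for h in extra])
    for alert in scan_dns_log(SAMPLE_LOG, MALICIOUS_HOSTS + extra, MALICIOUS_IPS):
        print("ALERT", alert)
```

The pivot deliberately returns co-hosted names as a separate watchlist rather than merging them into the block list: as the post notes, most of the shared IP hosts were not themselves flagged, and on shared hosting a single IP can front hundreds of unrelated sites. The log scan then shows both uses of the data, exact matches against the expanded list and looser keyword matches that surface new lookalike names for analyst review.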

A bulk WHOIS lookup for the 3,653 domains showed that 29 of them were newly registered. While we can’t be sure, that could have a lot to do with the contenders’ recent Oscar nominations.

Many people are bound to look for sites containing more information on the Oscars 2022 nominees. And while none of the movie-themed web properties are tagged “malicious” now, threat actors could poison them. Some who may wish to stream or download copies of the movies may end up with malware infections instead. And those who want to learn more about the actors and actresses should stay away from the dangerous domains, subdomains, and IP addresses mentioned here.

If you wish to perform a similar investigation, please don’t hesitate to contact us. We’re always on the lookout for potential research collaborations.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
